I just set up an FTP server using the latest version of FileZilla Server. I set up a user and gave them a home directory. If I connect to the server via 127.0.0.1:21 or 192.168.1.42:21 (my local IP), files can be uploaded and downloaded, and everything works as it should. However, when I connect via my external domain name, www.suchipi.com:21, the server connects but directory listing fails. I thought this might be an error with how I set up my A record, but connecting to my external IP via 75.70.128.37:21 results in the same problem. Port 21 is the only port forwarded. Do I need to forward any other ports?

If your firewall has FTP protocol connection tracking, like ip_conntrack_ftp and ip_nat_ftp from netfilter, then you just need to load the proper module and/or specify that you are allowing the FTP protocol (not only port 21).

If the firewall does not support the FTP protocol, then the only option is to configure the FTP server to allow passive-mode clients. For this you will need to allow TCP port 21 for the control connection and TCP port 20 for the data connection. The data connection is used for listing folders and for file transfers.

Yes, you do, and there is no static list. FTP has a VERY bad issue: in active mode, the server will connect TO (!) the client on a RANDOM (!) port. You need to get the port number from the command stream. Basically you say "List" and the server tries to open a TCP connection TO the client on a RANDOM port to SEND the list. OUCH.

This is why you can put the client into PASSIVE mode, which means all connections are opened from the client, but even then you will need to forward other port numbers.

Generally FTP comes from a time when no one even thought of firewalls, and someone made the bad decision to have the server open an active connection to the client.

This works a lot better if you do not PORT FORWARD but use a proper router/firewall that knows how to forward FTP (i.e. not just the TCP session, but one that handles the content of the TCP session and translates port numbers etc.). Pretty much every sensible firewall should be able to do so, even Linux ones; you just need to stay away from "stupid" TCP forwarding.
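To make concrete what "handle the content of the TCP session and translate port numbers" means, here is an added toy model of an FTP application-layer gateway. It is written for this page and is not code from netfilter, FileZilla Server or either answer. The private and public addresses are the ones from the question; the 227 reply, the PORT command, the port numbers and the class and function names are constructed for the example. It shows the two things a dumb TCP port forward cannot do: rewrite the private address the server announces in its PASV reply, and learn from the control channel which random data port the next connection will use so a one-shot pinhole can be opened for it.

```python
"""Toy FTP application-layer gateway (ALG), added example.

Models what an FTP-aware firewall helper does on the control channel:
read each line, spot a 227 (PASV) reply or a PORT command, learn the
data port that the next connection will use, rewrite the address if
NAT is in play and record a pinhole for the data connection. All
addresses and lines below are constructed sample data.
"""
import re

# RFC 959 encodes host and port as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2.
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


def decode_hostport(fields):
    """('192','168','1','42','195','80') -> ('192.168.1.42', 50000)."""
    a, b, c, d, p1, p2 = (int(x) for x in fields)
    if not all(0 <= x <= 255 for x in (a, b, c, d, p1, p2)):
        raise ValueError("octet out of range in FTP host/port field")
    return f"{a}.{b}.{c}.{d}", p1 * 256 + p2


def encode_hostport(ip, port):
    """Inverse of decode_hostport: '192.168.1.42', 50000 -> '192,168,1,42,195,80'."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


class FtpAlg:
    """ALG state for one control connection.

    server_internal: the FTP server's private address (hypothetical 192.168.1.42).
    server_external: the public address on the NAT box (hypothetical 75.70.128.37).
    """

    def __init__(self, server_internal, server_external):
        self.server_internal = server_internal
        self.server_external = server_external
        # (direction, ip, port) of data connections the firewall should now expect.
        self.pinholes = []

    def server_to_client(self, line):
        """Inspect a server reply; rewrite a 227 PASV reply and open an inbound pinhole."""
        m = PASV_RE.match(line)
        if not m:
            return line  # not a data-channel announcement, pass through untouched
        ip, port = decode_hostport(m.groups())
        # A plain port forward would hand this line to the client unchanged: the
        # client on the Internet would then try to reach 192.168.1.42:port and the
        # directory listing would hang. The ALG swaps in the public address and
        # expects an inbound connection to that port, to be passed to the server.
        self.pinholes.append(("inbound", self.server_internal, port))
        return line.replace(encode_hostport(ip, port),
                            encode_hostport(self.server_external, port), 1)

    def client_to_server(self, line):
        """Inspect a client command; a PORT command says where the server must connect."""
        m = PORT_RE.match(line)
        if not m:
            return line
        ip, port = decode_hostport(m.groups())
        # Active mode: the server will open a connection TO the client's random
        # port. Nothing to rewrite (the client already gave its public address),
        # but the firewall must treat that outbound connection as belonging to
        # this control session rather than as an unrelated new flow.
        self.pinholes.append(("outbound", ip, port))
        return line


def demo():
    """Run one constructed passive reply and one constructed active command through the ALG."""
    alg = FtpAlg("192.168.1.42", "75.70.128.37")
    reply = alg.server_to_client("227 Entering Passive Mode (192,168,1,42,195,80)\r\n")
    cmd = alg.client_to_server("PORT 203,0,113,7,4,1\r\n")
    return reply, cmd, alg.pinholes


if __name__ == "__main__":
    rewritten, passthrough, holes = demo()
    print(rewritten.strip())   # 227 reply now carries 75.70.128.37
    print(passthrough.strip())
    for direction, ip, port in holes:
        print(f"{direction:8} {ip}:{port}")
```

The point of the model is the `pinholes` list: every entry is a port the firewall only learns about by reading the control channel, which is exactly what a static "forward port 21" rule cannot know. The rewrite of the 227 reply is the NAT half of the same job, since a server behind NAT otherwise announces its private address to the outside world.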

TomTom, you missed port 20. He needs that one too, even in passive mode.
– mfinni, May 1 '12 at 16:52

@mfinni, we got it, no need to spray the downvotes...
– Bart De Vos, May 1 '12 at 17:23

Bart, no spraying at all. I downvoted yours because it's actually wrong. If the clients are only in passive mode, they don't need a high port range open, just 20 and 21. I did not downvote TomTom's; he didn't explicitly include 20, but he hinted at other ports being needed even in passive mode, so I just added a comment. Plus, he's right in his final conclusion that FTP just isn't a great protocol to use behind dumb NAT.
– mfinni, May 1 '12 at 18:44